Switch from MbedTLS to OpenSSL

[eschnett]

Based on @fxcoudert's openssl branch and pull request at #53891.

• diff re-applied to current Julia master (hence the new commit)
• LibCURL, LibGit2, LibSSH2, OpenSSL updated to newest version
• MbedTLS removed

[eschnett]

Current to-do list:

• Understand how NetworkOptions and OpenSSL cooperate regarding CA roots. Possibly remove all NetworkOptions stuff from the OpenSSL_jll stdlib.
• NetworkOptions has some MbedTLS-specific code. This needs to be switched to OpenSSL.
• I added some OpenSSL CA-root work-around into the test cases. That should probably be removed again.
• Something is off with LibCURL. We need to decide what to do, at the moment likely just staying at an older version.

[giordano]

Something is off with LibCURL. We need to decide what to do, at the moment likely just staying at an older version.

If you mean with libcurl v8.10+ JuliaLang/Downloads.jl#260, JuliaLang/Downloads.jl#260 (comment) should fix it. But there are still other failures: JuliaLang/Downloads.jl#261

[eschnett]

This PR requires the two other PRs

• Enable OpenSSL certificates NetworkOptions.jl#36
• Update Manifest to avoid MbedTLS_jll Pkg.jl#4100

Currently these other PRs are hardcoded in stdlib/NetworkOptions.version and Pkg.version. That also needs to be undone.

[eschnett]

@giordano There is a likely-spurious test failure. Can you restart test x86_64-unknown-freebsd?

[eschnett]

@IanButterworth I don't see other errors, e.g. this works:

julia> using Downloads

julia> Downloads.download("https://github.com/eschnett/Pkg.jl")
"/tmp/jl_UvWhePmhGr"

[giordano]

Ok, now we're back to the point where Julia's own CI passes, but trying to load PyCall wreaks havoc:

$ julia +pr56708 --project -q
julia> using PyCall

julia> py"""
       import urllib.request
       with urllib.request.urlopen('http://python.org/') as response:
          html = response.read()
       """
ERROR: PyError ($(Expr(:escape, :(ccall(#= /home/mose/.julia/packages/PyCall/1gn3u/src/pyeval.jl:38 =# @pysym(:PyEval_EvalCode), PyPtr, (PyPtr, PyPtr, PyPtr), o, globals, locals))))) <class 'urllib.error.URLE
rror'>
URLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1007)'))

This is where we were stuck with #53891.

[giordano]

Should PyCall/PythonCall do something like

    py"""
    import ssl
    def create_julia_https_context():
        return ssl.create_default_context(cafile=$(NetworkOptions.bundled_ca_roots()))

    ssl._create_default_https_context = create_julia_https_context
    """

as suggested by @mkitti at #53891 (comment)? That does seem to work for me:

$ julia +pr56708 --project -q
julia> using PyCall, NetworkOptions

julia> py"""
       import ssl
       def create_julia_https_context():
           return ssl.create_default_context(cafile=$(NetworkOptions.bundled_ca_roots()))
       ssl._create_default_https_context = create_julia_https_context
       import urllib.request
       with urllib.request.urlopen('http://python.org/') as response:
           html = response.read()
       """

julia> py"html"
"<!doctype html>\n<!--[if lt IE 7]>   <html class=\"no-js ie6 lt-ie7 lt-ie8 lt-ie9\">   <![endif]-->\n<!--[if IE 7]>      <html class=\"no-js ie7 lt-ie8 lt-ie9\">          <![endif]-->\n<!--[if IE 8]>      <html class=\"no-js ie8 lt-ie9\">                 <![endif]-->\n<!--[if gt IE " ⋯ 50648 bytes ⋯ "s/IE8-min.8af6e26c7a3b.js\" charset=\"utf-8\"></script>\n    \n    \n    <![endif]-->\n\n    <!--[if lte IE 8]>\n
    <script type=\"text/javascript\" src=\"/static/js/plugins/getComputedStyle-min.d41d8cd98f00.js\" charset=\"utf-8\"></script>\n    \n    \n    <![endif]-->\n\n    \n\n    \n    \n\n</body>\n</html>\n"

CC @cjdoris @stevengj we really need your input here, otherwise this PR will be stuck again for ages and we don't move on.

[KristofferC]

Maybe asking for forgiveness is better than asking for permission here. As I understand it, this is quite important from a security standpoint so it if the ecosystem has to catch up for a while then so be it?

[DilumAluthge]

Are PyCall/PythonCall the only places in the ecosystem that this PR breaks?

Could we run a PkgEval on this PR, to see if any other parts of the ecosystem are broken by this PR?

[giordano]

This is the summary of last time I looked at PkgEval: #53891 (comment)

[giordano]

Reminder that before merging this PR the PRs to Pkg and NetworkOptions must be merged, and these files changed back to point to the original repo

[KristofferC]

Tests on Pkg doesn't pass until this is merged so it is a bit tricky.

[giordano]

Are there any tests that are run only on CI there, or we're good to have all tests passing on this PR (they were passing until yesterday or so)? We can do a coordinated merge of the three PRs, to reduce disruption.

[KristofferC]

I think it is fine to merge here and then when master updates rerun CI on Pkg and merge it there (and then update the commit again). The activity in the Pkg repo is not super high nowadays.

The alternative is to write the tests so that they pass both here and on master but that might be a bit more effort than it is worth.

[giordano]

The problem of merging this PR first is that it'd make its merge commit not buildable from source if Erik's branch or fork are deleted.

[DilumAluthge]

And thus can possibly break git bisect in the future?

[KristofferC]

We can merge it on Pkg with tests breaking if the manifest is the only test that matters. Or both manifests are checked in and the relevant one is renamed based on the version.

[giordano]

And thus can possibly break git bisect in the future?

Yeah, whenever someone needs to build a specific commit, git bisect is indeed my main concern.

[eschnett]

Let me know when is a good time to do so. (After doing so, many things will fail on this branch before these repos are updated. We should do so only shortly before merging.)

[eschnett]

For these files to be updated the respective changes to NetworkOptions and Pkg need to be merged first.

[mkitti]

Can we package mbedTLS as an independent package for other packages which may still have a hard dependency on it?

[quinnj]

Can we package mbedTLS as an independent package for other packages which may still have a hard dependency on it?

Separate from the existing mbedtls_jll and MbedTLS.jl packages that already exist?

[giordano]

@nanosoldier runtests()

[DilumAluthge]

I think the backticks are mandatory.

[DilumAluthge]

@nanosoldier runtests()

[nanosoldier]

The package evaluation job you requested has completed - possible new issues were detected.
The full report is available.

[eschnett]

Some interesting failures: EasyCurl, JLLPrefixes.
Some expected/benign failures: SciMLTutorials (stores Manifest.toml in the repository, fails because MbedTLS_jll isn't there any more)

[eschnett]

How do we proceed here?

[oscardssmith]

pressing the merge button? :)

[eschnett]

If you are worried about merging three PRs simultaneously: With semver, the technically correct path would be to declare compatibilities via version numbers (i.e. bumping the major version number of NetworkOptions.jl and Pkg.jl) and applying the patches there, and then merging this PR here.

[mkitti]

How do we make MbedTLS_jll available?

[eschnett]

@mkitti MbedTLS_jll is available via the standard package registry. If you add MbedTLS_jll in your project it'll be added in the usual way. Having it in your Project.toml as dependency suffices. See e.g. https://github.com/JuliaLang/MbedTLS.jl/blob/master/Project.toml .

This PR removes MbedTLS_jll from the Project.toml in Julia's stdlib directory because no stdlib depends on it any more.

Julia's build-from-source mechanism can operate in two ways, either building all stdlibs from source, or (and that's the default) downloading jlls from the package registry. This is how MbedTLS_jll is installed by default.

I don't know whether I'm answering your question or saying something trivial.

[mkitti]

What's the fix for SciMLTutorials? Could we out together that PR first?

[KristofferC]

The Pkg bump should at least be rebased on current Pkg master.

[eschnett]

The fix for SciMLTutorials is to update all the Manifest.toml files in the repository. I assume that a using Pkg; Pkg.instantiate() would be sufficient. Pkg.update() would also work.

[eschnett]

@KristofferC I updated the Pkg.jl PR.

[giordano]

I went through all the new 35 failures reported by PkgEval:

• issues to be solved in PyCall/PythonCall
  • PyArrow
  • Seaborn
  • NeidArchive
  • CometLogger
  • EcRequests
  • SunAsAStar
• packages that need to be adapted (e.g. simply need to re-resolve an environment, or adapt compat bounds)
  • JLLPrefixes
  • BinaryBuilderSources
  • BinaryBuilderAuditor
  • SciMLBenchmarks
  • SciMLTutorials
  • BenchmarkProfiles
  • GeoEstimation
• packages using libcurl API directly
  • EasyCurl
• unrelated failures (e.g. flaky tests, or with unreliable numerical tolerances)
  • BPGates
  • NumericalAlgorithms
  • GeoJSON
  • EulerAngles
  • NMRTools
  • TuePlots
  • BayesianQuadrature
  • UnivariateFunctions
  • LinearRationalExpectations
• didn't understand what's the issue, but likely unrelated (e.g. timeout)
  • EinExprs
  • ParallelAnalysis
  • OpenTelemetryExporterPrometheus
  • Yunir
  • GLPK
  • CDDLib
  • ODEInterfaceDiffEq
  • OrdinaryDiffEqQPRK
  • OrdinaryDiffEqFeagin
  • OrdinaryDiffEqHighOrderRK
  • IRKGaussLegendre
  • OceanRobots

If we're happy to let downstream developers fix the issues in their packages, e.g. for PyCall/PythonCall (the three BinaryBuilder-related ones are fine to ignore, issues should definitely be fixed in the package), then this is good to go from my point of view, as long as we decide what to do with the versions of the external stdlibs that need to be updated (I vote to merge the PRs to the external repos all together and then merge this PR, too, tests here are passing for julia + stdlibs)

[eschnett]

I merged in the master branch to resolve conflicts.